I have an Azure Function App. When I call it using a web browser it shows that a root certification is required, as it used the Baltimore cert.
But when I use a simple device (GSM module) or Postman, I can call my API without this root certificate. Does this seem correct?
This might be because the certificate has already been added in your Postman. To check it, you can navigate to Postman >> Settings >> Certificates.
Or you might have already set up the Postman which calls Key Vault's Client Id and Certificate.
REFERENCES:
Calling an Azure AD secured API with Postman
Related
So I'm trying to use 2 APIs from our external data source, an organization that solely focuses on delivering data to customers (me).
They have 2 different APIs:
A login API: this API is called with basic authentication (username and password) and will provide a bearer token
An API to extract data and manage filters (this API will require the bearer token acquired through the login API)
Important notes:
The login API requires a self-signed certificate. I have created a certificate on my PC using OpenSSL and shared the public key with the external data source.
I uploaded the .pfx file in Azure (however, I cannot set the domain or port number. This seems to be an issue; I can do this in Postman but can't seem to find it in Azure).
The data source confirmed that the certificate is valid, and I am able to use the certificate in Postman, but only if I set the correct hostname and also the correct port number (otherwise I get a TLS error in Postman).
Everything is working as it should in Postman (I can call the login API and I can use the bearer token to access and download the data using a JSON file made for Postman that I received from the data source organization).
I uploaded the .pfx certificate in Azure using App Services > TLS/SSL settings and uploaded the private certificate; however, the hostname it says here is my own database name (I am not sure if this is correct; in Postman I set the hostname when I upload the certificate to be the hostname of our data source with the needed port number).
I tried making a web call in Azure Data Factory. Here I've used the correct URL I also use in Postman to access the login API, selected basic authentication and filled in the credentials.
However, when I try to debug the pipeline (only the login web call) it gives the following error:
Error code 2108
Troubleshooting guide
Failure type User configuration issue
Details Error calling the endpoint '[LINK i put with portnumber, which is correct]'. Response status code: 'NA - Unknown'. More details: Exception message: 'NA - Unknown [ClientSideException] An error occurred while sending the request.'.
Request didn't reach the server from the client. This could happen because of an underlying issue such as network connectivity, a DNS failure, a server certificate validation or a timeout.
Source
Pipeline
Punctuality
Am I looking in the wrong direction for this kind of data retrieval? Is something going wrong with the certificate? I can't seem to find where I can set the correct hostname and port number (like I can in Postman when uploading the certificate in .pfx format). Should I use API Management Service rather than Data Factory to make the API call to the external data source?
Select the authentication method as Client Certificate in web activity settings.
Specify base64-encoded contents of a PFX file in Pfx.
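The two steps above, as an added example (not part of the original answer): a small C# console program that checks the PFX is usable as a client certificate before base64-encoding it, then prints the Web activity's authentication fragment. The class name and the PFX_PASSWORD environment variable are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

static class PfxForWebActivity
{
    // Checks that the PFX can act as a client certificate, then returns its base64 form.
    public static string ToBase64Pfx(string pfxPath, string password)
    {
        byte[] raw = File.ReadAllBytes(pfxPath);

        // Throws CryptographicException when the password is wrong or the file is not PKCS#12.
        using (var cert = new X509Certificate2(raw, password))
        {
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("No private key in the PFX; client authentication needs one.");
            if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException(
                    "Certificate is outside its validity period: " + cert.NotBefore + " to " + cert.NotAfter);

            // Printed so the thumbprint can be compared with the certificate the API owner registered.
            Console.Error.WriteLine("Subject: " + cert.Subject + ", thumbprint: " + cert.Thumbprint);
        }

        // One unbroken line: the Pfx field takes the whole file, base64-encoded.
        return Convert.ToBase64String(raw);
    }

    static int Main(string[] args)
    {
        // Assumption: the password comes from an environment variable chosen for this example,
        // so it does not appear on the command line.
        string password = Environment.GetEnvironmentVariable("PFX_PASSWORD");
        if (args.Length != 1 || password == null)
        {
            Console.Error.WriteLine("usage: set PFX_PASSWORD, then pass the path of the .pfx file");
            return 1;
        }

        string pfx = ToBase64Pfx(args[0], password);

        // Authentication fragment of the Web activity; the password is left as a placeholder.
        Console.WriteLine("\"authentication\": {");
        Console.WriteLine("  \"type\": \"ClientCertificate\",");
        Console.WriteLine("  \"pfx\": \"" + pfx + "\",");
        Console.WriteLine("  \"password\": \"<PFX password>\"");
        Console.WriteLine("}");
        return 0;
    }
}
```

The base64 string contains the private key, so treat the output like the .pfx file itself.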
I am working on setting up an API Management service on Azure. My question is related to setting up the SSL certificate that was generated using Azure Key Vault.
My certificate was created with the CNAME as *.contoso.com. My custom domain in the API Management service is api.contoso.com. Now, when I'm setting up my custom domain, there is a field to select the certificate from Key Vault which I have already done. Now when I import the API using OpenAPI spec and go to Settings; there is also an option to select a Client cert under the Gateway credentials heading (see screenshot attached).
My question is, what is the difference between these two? If I have already provided a certificate when setting up the custom domain, do I need to add the certificate to the API as well?
Just a piece of extra information. My plan is to import two APIs and set them up at https://api.contoso.com/app1 and https://api.contoso.com/app2
The backend gateway credentials are for authenticating the API Management instance ("gateway") to the backend service, that doesn't know it's being called by a gateway. It's there on the assumption that you can't always pass through a valid set of credentials from the client since one of API Management's roles is to work as an adapter for services not necessarily designed to be called by clients on the internet.
You've already worked out what the custom domain certificate is for; this is so that the API Management instance can negotiate TLS on the frontend with a certificate whose subject matches the hostname the caller connected with.
I deployed an application out to our app service in Azure, and the app needs to have SSL to run, but since it is still in development I did not want to have to purchase a cert yet, so I created a self-signed cert through openssl. The private key is 2048 bits, which should be enough, but when I go to apply the cert to the hostname, it just sits there and never applies.
Is there a special step you have to complete to get self signed certs to work, or, are you not allowed to use self signed certs in Azure App Services?
Try to use ServerCertificateValidationCallback to monitor the verification of server certificate, comparing the certificates between local and server or just returning true.
Now when you invoke the https service in your web app, the verification callback will be invoked automatically. If failed, you will see the errors. If successful, the service response will be returned.
For more details, refer to this article: http://devchat.live/en/2017/09/29/how-to-invoke-https-service-protected-by-self-signed-certificate-from-azure-app-service/.
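The "comparing the certificates" option from the answer above, as an added example (not code from the answer or the linked article): a ServerCertificateValidationCallback that accepts the self-signed certificate only for one host and only when its SHA-256 fingerprint matches a pinned value, instead of returning true for everything. It assumes .NET Framework, where the callback's sender is the HttpWebRequest; the host name and fingerprint are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SelfSignedPin
{
    // Assumptions: replace with your service's host and the fingerprint of its certificate,
    // obtained out of band (for example from the file you generated with openssl).
    const string PinnedHost = "backend.example.internal";
    const string PinnedSha256 = "<hex SHA-256 fingerprint of the self-signed certificate>";

    public static void Install()
    {
        // Process-wide setting: the callback runs for every outgoing HTTPS request
        // made through HttpWebRequest, not only for calls to the pinned host.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that pass normal validation are accepted as usual.
        if (errors == SslPolicyErrors.None) return true;

        // Any other host keeps the default behaviour: a validation error fails the request.
        string host = (sender as HttpWebRequest)?.RequestUri.Host;
        if (!string.Equals(host, PinnedHost, StringComparison.OrdinalIgnoreCase)) return false;

        // Only the untrusted-chain error is tolerated. A name mismatch or a missing
        // certificate still fails, so the certificate's subject must match the host.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null) return false;

        using (var sha = SHA256.Create())
        {
            string actual = BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
            return string.Equals(actual, PinnedSha256.Replace(":", ""), StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Call SelfSignedPin.Install() once at application startup, before the first HTTPS request. When the certificate is rotated, the pinned fingerprint has to be updated with it.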
I have a Logic App that calls a REST API via HTTPS.
The REST API is protected by a custom SSL certificate provided by a custom authority.
When I call it from the Logic App, I get a TrustFailure error, which is a normal situation.
But is it possible to add somewhere in Azure the trust chain in order to bypass this error?
It was confirmed by Microsoft that it is not possible to add my own authority certificates in the list of trusted authorities.
I have a cloud service and an Azure APIM instance with a self signed client cert setup on them (the cert has intended purposes of server auth and client auth).
Each API within the APIM has the client cert setup on its security. However, when I perform the call the following comes back in the trace.
"messages":["Error occured while calling backend service.","The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.","The remote certificate is invalid according to the validation procedure."
Is there anything I am missing here? I have been searching online and cannot see anything obvious.
Yes you are correct, the option is not available in the portal to allow self-signed certificates. Here is a blogpost by Sasha Rosenbaum: http://divineops.net/enable-self-signed-certificates-in-azure-api-management-services/
Here basically you are skipping the certificate verification using "skipCertificateChainValidation" attribute.
You can create a backend entity through PowerShell scripts to skipcertifioc